Encrypted File System (EFS) . Sankara Narayanan. CSE 785 Computer Security, Syracuse University, NY Spring 2003 – 2004. What will be covered!!! refer inline comments. EFS– What is this? A user’s Perspective. Objective Motivation Related Work and Papers Top Notch Encryption Algorithms
Encrypted File System (EFS) Sankara Narayanan. CSE 785 Computer Security, Syracuse University, NY Spring 2003 – 2004
What will be covered!!!refer inline comments • EFS– What is this? A user’s Perspective. • Objective • Motivation • Related Work and Papers • Top Notch Encryption Algorithms • Design and Implementation Ideas Proposed • Design Issues – An Area to be really looked on • Sample EFS Demo Sites.
EFS—A users perspective. • Encrypted File System (EFS) provides the core file encryption technology used to store encrypted files on the File System. • Corporate world is very competitive, so any code, system specifications, often needs to be controlled. • We have to share data among many users or groups, the potential risk for a computer security from a users perspective. • Password Security – Does nothing to preventing a disk being mounted on a different system and reading the contents.
Why EFS– User’s Perspective..Continued… • The need for Encryption Technology arises from the perspective of an user. • Now many universities and organizations have an EFS design for this reason. • WELCOME TO THE WORLD OF EFS.
Objectives.. • The Disk Encryption reduce risk of data exposure in a specific, if uncommon, scenario. • To avoid system risks such as: • Computer is bodily stolen. • Someone inside the company is trying to compromise information. • The system is cracked while attached to a network or with some malicious software. • The primary benefit of the encrypted disk system is defense against device theft, and making your system a more secured one. Though, the risks are partially mitigated.
Motivation—Why EFS? • Security—First and Foremost • Secures Data from being accessed by any malicious user / hacker. • Privacy • Ensure that private data is not accessed by other users ( may not be malicious). • Reliability – An integral component • Only responsible people are provided access to important data • Resource Sharing • Many users can use the same system and still can work independently.
Related Work and Papers • StegFS: A Steganographic File System for Linux, University of Cambridge. • CFS: Cryptographic File System, Temple University. • SFS: Secure File system, University of Minnesota and StorageTek. • TCFS: Transparent Cryptographic File System, University of Salerno (Italy). • Cryptfs: A Stackable Vnode Level Encryption File system, University of Columbia.
CFS: Cryptographic File system refer inline comments • CFS File System is implemented on the Debian Distribution. • Completely implemented at the user level. • CFS runs a daemon “cfsd”which uses the system calls to read and write the file contents. • Encrypted before reading and decrypted before writing. • Simple and Easy to understand.
TCFS: Transparent Cryptographic File System. • TCFS (Transparent Cryptographic File System) has been developed at the University of Salerno (Italy) and is currently availablefor Linux. • TCFS is like an extended NFS. It acts just like NFS, but allows a user to protect his/her files using encryption. • TCFS works as a layer under the VFS (Virtual File system Switch) layer, making it completely transparent to the applications.
TCFS: Continued…refer inlinecomments • The security is guaranteed by means of the DES (data encryption standard) algorithm. • A TCFS user trust only the kernel and the super user of the client machine accessing the data. • Application areas where TCFS is used: a network of workstations with limited disk space, each used almost exclusively by a limited number of users (you can even think of each user as the super user of his/her own workstation) and a remote file server sharing files with all the workstations
TCFS: Continued…refer inlinecomments • The security mechanism must guarantee that secure files are not readable: • by any user other than the legitimate owner. • by tapping the communication lines between the user and the remote file system server. • by the super user of the file system server. • In TCFS, security acts in a transparent way. Secure files can be accessed in the same way as local files--the user has only to authenticate himself to TCFS before starting to work.
Working of TCFS Files stored on Encrypted form in server Each user has a different Encryption key to access TCFS Login Utility – Provides Encryption key Read a block of data from Server – NFS Protocol Requested block is decrypted first and then passed to application Data block written by application is first encrypted with user’s key and then passed to server
StegFS: Steganographic File System • First, like any file system, it is able to manage the storage of files on a disk. • Second, it provides a mechanism for hiding files. This allows a user to plausibly deny the number of files stored on disk. • Third, it provides a mechanism for accessing files that have been hidden.
Continued..StegFS • The file system implementation is installed along side the normal Ext2fs, Minix etc drivers between the VFS interface and blockbuffer cache. • StegFS contains the full functionality for Ext2fs driver for compatible access to non-hidden files. • StegFS distinguishes regular files and directory files. • StegFS also has a block allocation table (same as block allocation bitmap) for storing encrypted checksums for each block.( for detecting overwritten blocks).
Functionality of StegFS • The confidentiality of all hidden files are guaranteed. • Deletion of hidden or non-hidden leads automatically to their secure destruction. • Users can plausibly deny the number of files stored on the disk. • Lower layers can be voluntarily compromised without revealing the higher layers.
Top Notch Encryption Algorithms… • AES – Advanced Encryption Standard (Rijndael). • DES - Data Encryption Standard (DES) algorithm, adopted by the U.S. government in 1977. • 3DES – Triple DES. • Blowfish
General Kernel Architecture. User Process open(), read(), write(), etc System Call Interface VFS Kernel Ext2fs Minix FS Buffer Cache Device Driver Disk Controller Hardware
Design and Implementation Ideas.. • Many of the Implementation that we have seen here, has a kernel level implementation of the file system. • Certain implementations have also user level daemons running that call the kernel level programs ( e.g.: NFS) • I am just describing one system architecture, each of the project team has to come up with their own creative designs.
Example -- General System Architecture This blocks data size Encrypted Data Area KeyID Each Blocks max Data size Block Size User Accessible Memory read() write() Key DB Key Encryption and Decryption Process
Design Issues..An area to be looked on... • The file pointer issues. • Buffer overflow problems – how are you going to deal with this. • Key Management – An area worth thinking about how you will manage your keys. • What effect does the process like read and write have on the files? • How are you going to define your system policy? • Problems related with revocation, change ownership etc.
Sample EFS Demo Sites. • You can run and see how the EFS works, I am listing some sample sites: • http://www.geocities.com/openpgp/linux_en.html • http://www.linux.se/doc/lasg-www/encryption/
Conclusion. Thank You.